A critical vulnerability in SajiloCV which allowed me to download 100K + users resume
Introduction:
Greetings, everyone! I hope you’re all doing well. I am Sankalpa Baral from Nepal, and it has been quite a while since I last published a write-up. Today, I have decided to share a vulnerability that I discovered a few months ago, which allowed me to download anyone’s resume. Let’s dive into the details.
Background:
One day, while casually scrolling through Reddit and I came across this post, so the post was about a friendly chess game between Nepal’s #1 and #2 highest rated players. I opened the YouTube video and saw it was sponsored by SajiloCV at that time I had no idea about the platform so I conducted some research. I found numerous Nepali YouTubers who had made videos on SajiloCV as part of paid promotions.
Exploring:
Curious about SajiloCV, I visited their website and noticed the absence of a registration page. Instead, they provided the option to log in using OAuth. Thus, I proceeded to log in using OAuth. The site was all about creating our resume and downloading it. I noticed there was an option to change our personal information so I simply changed my info and captured the HTTP request with burp.
Like you, I thought of trying to manipulate the request by changing the “id” parameter. I replaced the existing value of 91432 with a random number and forwarded the request. Unfortunately, my attempt was met with a disappointing 403 Forbidden error, indicating that the system did not allow unauthorized access to user information.
Another thing I did was editing my resume, I changed something in my resume and captured the HTTP request and tried changing the id parameter but again I got 403 forbidden error.
At that time I thought the site was fully secured and wasn’t vulnerable to IDOR but ….. There was an option to download our resume (Now you know what’s going to happen) I clicked on the download button and captured the HTTP request
I replaced 91432 with a random number and forwarded the request and I was expecting 403 forbidden but I got 200 OK response, indicating that I was able to download other users’ resumes., Damn how did it happen?
Steps to reproduce:
1 Go to https://app.sajilocv.com/user-profile/resume
2 Click on “Download resume” and capture the request with burp
3 Modify the number in the request and forward it
4 You will be able to download other’s resume
Reporting:
Now it’s time to report the issue. since they didn’t have a bug bounty program(they still don’t have). I sent an E-mail to them saying this
If you find a security issue in any website which doesn’t have a bounty program and you want to report the issue then I suggest you to do this instead of directly sharing the vulnerability with them.
After sometime I got an Email from then saying “We are interested in knowing about the issue” so after that I reported the vulnerability to them. They patched the vulnerability within 2 weeks and rewarded me for my discovery. (The feeling after getting a reward from a Nepali company)
Tip:
Whenever you add, update, or remove data, always remember to check for IDOR vulnerabilities.
I have also uploaded a proof-of-concept video on my YouTube channel. Feel free to check it out link
Bye:
Thank you for reading <3 I hope you found this write-up informative and gained some valuable insights.